United States Senate Committee on the Judiciary
Reforming the FBI in the 21st Century: The Lessons of the Hanssen Espionage Case
April 9, 2002

The Honorable Patrick Leahy
United States Senator , Vermont

Introduction. Since last summer, the Senate Judiciary Committee has been holding regular oversight hearings on the future of the FBI as it prepares for the challenges of the 21st Century. Today’s hearing is a stark reminder that some of the challenges facing the FBI are as old as the Republic. Today, we focus on the role of the FBI as a protector of the highly classified secrets that are the crown jewels of our national security. The report by the Commission chaired by Judge William Webster, unfortunately, demonstrates the vulnerability of the FBI in fulfilling this basic function. With the American people depending more than ever on the FBI to protect it against terrorism, that vulnerability must end.

It is this Committee’s responsibility to ensure that the FBI becomes is as great as it can be, and this series of FBI oversight hearings is an important part of the process, as is the legislation that Senator Grassley and I have introduced to implement many of the FBI reforms recommended by the Webster Commission.

The Webster Commission Report. The treason of former FBI Supervisory Special Agent Robert Hanssen was a shocking revelation not only to all Americans, but also to the thousands of dedicated FBI agents and personnel who work around-the-clock and in far-flung places around the globe to make this country a safer place to live and raise our families. Attorney General Ashcroft was right to ask Judge Webster and other outside experts to evaluate the FBI’s security programs in light of the Hanssen espionage case. In their report, released last week, the Commission members brought to bear their collective decades of public service at the highest ranks of our government.

An extraordinarily qualified group was assembled to study these issues of national security, law enforcement and intelligence, and its report is as thorough as it is chilling. The findings are not academic. They have important implications for the FBI’s operations in the post-September 11 era.

At least one of the “significant deficiencies” and “security risk[s]” documented in the Webster Commission’s Report are the result of new policies adopted in response to the September 11 attacks and without proper consultation with security experts.

The Commission’s findings and recommendations are crucial to the FBI’s efforts to fight terrorism and protect national security, as will be the recommendations of the skillful Justice Department Inspector General, who is investigating other aspects of the Hanssen matter for a report he will issue later this year.

The Webster Commission’s Findings. This report is another wake up call to the FBI. Yet every time a wake up call comes, the FBI’s institutional reflex has been to hit the snooze button. That must change. In this oversight series of hearings, begun last year, this committee is determined to help the FBI break that pattern. Working with the Attorney General, the Director of the FBI, and others, this committee wants to help them ensure that the FBI learns from its mistakes and becomes all that the nation needs it to be. The Webster report exposes within the FBI what the report calls a “pervasive inattention to security, which has been at best a low priority in recent years.”

The report describes an FBI where computers so poorly protect sensitive material that the FBI’s own agents refuse to put important information on the FBI’s official system. It tells the story of an FBI where background investigations for those who supposedly protect our nation’s most sensitive secrets are conducted using a “checklist approach,” rather than analysis.

It paints a picture of an FBI where employees are not adequately trained on basic document security practices and where there is little or no centralized analysis of security breaches. In short, the Webster Commission found not one or two problems, but “serious deficiencies in most security programs [it] analyzed within the Bureau,” and that, “when compared with best practices within the Intelligence Community, FBI security programs fall far short.” The report described an FBI security system that is essentially bankrupt. There are three key findings from the report that warrant our closest scrutiny.

First, the Commission found that Robert Hanssen’s activities merely brought to light broader and more systemic security problems at the FBI. For instance, Hanssen’s ability to mine the FBI’s computer system for national secrets for more than 20 years points to serious weaknesses in information security. Hanssen himself said that “any clerk in the Bureau” could have done what he did, and he described the FBI’s efforts at computer security as “criminal negligence.” Hanssen’s promotion to sensitive FBI positions where he was trusted with our most sensitive national secrets – all while he was a paid Soviet spy – exposes systemic problems in the FBI’s personnel security processes.

Hanssen’s ability to copy highly sensitive FBI documents and, as he put it, simply “bring documents out of FBI headquarters without ... ever having a risk of being searched, or looked at, or even concerned about,” reveals serious shortcomings in both document and physical security at the FBI which must be addressed. In short, Hanssen, cunning though he may be, was able simply and easily to take advantage of the FBI’s systemic security defects. Those defects must be fixed.

Second, the Commission found that the best way to protect information is not to shut down information flow completely either within the FBI or from the FBI to outsiders. Indeed, that type of reaction is inimical both to a free society and to effective law enforcement. Instead, the Webster Commission found that the FBI needs to do a better job of what is known as “defense-in-depth” security – that is, identifying what is truly sensitive information, and then creating a layered approach to protect it. Most critically, that means enforcing all important “need to know” rules, which are largely ignored at the FBI, and doing better security training of FBI employees.

Finally, and most disturbing, the Commission found that the systemic problems which allowed Robert Hanssen to compromise national security for so long are not ancient history, but they permeate today’s FBI. Most alarming to me, the Commission found that decisions since September 11 have resulted in “substantial sensitive source material” from FISA surveillance being made generally accessible on the FBI’s computers to FBI personnel and then being inadequately protected.

The Commission points out this breach not only presents a security risk which must be corrected “as soon as possible,” but it is a breach that also could create constitutional issues which might endanger terrorism prosecutions. This was all done without consulting Justice Department officials or security experts. The report is clear: When the post-September 11 crunch was on to investigate at all costs, security was once again discarded at the risk of jeopardizing sources and methods that are critical to gathering intelligence on terrorism and to other national security interests. Who will agree to become a confidential source for the FBI, or for other agencies that share sensitive intelligence with the FBI, if effective safeguards are not in place to prevent disclosure to another Hanssen?

I must also add that, as one who helped write the USA PATRIOT Act -- which gave the FBI new surveillance powers-- and as one of many who is dedicated to proper congressional oversight of the proper use of that new power until its sunset, the Webster Commission Report raises particular concern. As the report makes clear, the FBI’s actions since September 11 “send[] a clear message that the FBI’s security organization is irrelevant during an operational crisis.”
In addition, the report raises concerns that security features in Trilogy, the FBI’s billion-dollar computer upgrade, are also being sacrificed in return for short-term operational benefits.

The Commission acknowledges the basic tension between conducting effective law enforcement, which often requires information sharing, and protecting intelligence operations, which often requires restricting the flow of information to prevent compromising valuable sources. The Commissioners pointedly state that “whether the two can co-exist in one organization is a difficult question . . . .” That tension has been especially acute since September 11, but the FBI, facing pressing investigative needs, cannot continue to sacrifice long term interests in preventing future national security threats for the sake of investigating crimes that have already occurred.
The Report’s Recommendations. The FBI should respond to the alarms set off by this report not by denying the problems, but by confronting them and rebuilding its security from the ground up. The Hanssen case proves that circling the wagons does not work when the enemy is already inside the circle. Director Mueller has already begun taking some important steps in the right direction, but he needs to do far more, and I will continue to support him in that effort. The Commission makes some important recommendations for improvement, and I am confident that Director Mueller will conscientiously consider them. Of the many fine recommendations, one common sense proposal stands out: to establish a system under which security lapses in any one particular agency can lead to improvements throughout the entire intelligence community.

That way, as the Commission points out, our country can establish a coherent nationwide approach to security. The Commission specifically cites a proposal for such National Security Program that I made sixteen years ago, when I was Vice Chairman of the Intelligence Committee and Judge Webster was FBI Director. The Intelligence Committee issued a report in 1986 on “Meeting the Espionage Challenge” after we had gone through the horrendous “year of the spy” with Walker, Whitworth, Howard, Pollard, Chin, and other spies detected in highly sensitive U.S. military and intelligence organizations.

Today, a national response is equally essential given the continued pattern of espionage cases last year that included not only Hanssen, but also the top Cuban analyst in the Defense Intelligence Agency who was caught spying for Cuba throughout her entire 15-year career, and the alleged attempt by a retired military officer working as a contractor in the National Reconnaissance Office to sell intelligence secrets to the highest bidder. The best example of why the Commission’s message must go beyond the FBI is financial disclosure. The report concludes that the FBI failed to examine Hanssen’s finances, partly because of a poor security re-investigation and partly because the FBI did not implement an Executive Order requirement for regular financial disclosure by employees in the most sensitive positions. In this failing, the FBI is not alone.

Most departments and agencies, other than the CIA, did not implement this requirement when it was adopted after the Ames case, based on a 1994 Congressional mandate in section 801 of the National Security Act, and nothing more has been done since Hanssen’s arrest over a year ago. Hanssen told the Commission, “The only thing that possibly could have uncovered my espionage activities was a complete investigation of my financial positions and deposits to bank accounts.”

I call on the Administration to act immediately to ensure that all relevant departments and agencies implement the financial disclosure requirement in current law. Security against espionage is a national challenge that should not be left to each individual agency without accountability.

The Need for Congressional Action. Too often in the past, recommendations and reports like these have not been treated as real opportunities for reform but as occasions to roll out the spin machine. In fact, on the security issue, the 1997 Justice Department Inspector General’s report on the Aldrich Ames spy case specifically warned that the FBI needed to “develop and maintain a better record-keeping system for tracking” top secret documents, some of the very things which Mr. Hanssen later stole.

I cannot help but think that, as then-FBI Agent and Russian spy Hanssen read the I.G. report, he knew that he could go on just as before, and that the report would wind up in some FBI filing cabinet, never to see the light of day. That cannot happen yet again. That is why Senator Grassley and I have introduced S.1974, the FBI Reform Act of 2002. Our bill calls for many of the reforms now echoed in the Webster Commission Report.

(1) Career Security Program. The report calls for an FBI career security program with status equal to Special Agents. S. 1974 establishes this program to strengthen skills, training, status and leadership for FBI security personnel.

(2) Employee Screening Polygraph Authority. The report endorses regular counterintelligence screening polygraphs for FBI personnel in the most sensitive positions. S. 1974 authorizes such a program with safeguards against misuse.

(3) FBI Computer Security. The report says FBI should make progress reports to the oversight committees for three years. S. 1974 requires a report on FBI computer security and access controls for classified and sensitive but unclassified information.

(4) FBI Police Authority. The report recommends improving the FBI security police force. S. 1974 authorizes better pay and benefits for FBI police who guard FBI facilities.

(5) FBI Counterintelligence Authority.. The report stresses the importance of the FBI’s counterintelligence role. S. 1974 requires a report from the Attorney General on the FBI’s legal authorities, including the need for legislation to replace current non-statutory authority for FBI counterintelligence functions.

(6) FBI Security Whistleblowers. The Commissioners found that “few FBI security violations are reported to security” and, even if reported, violations are not tracked. The Commission proposes a Security Incident Reporting Program to ensure proper reporting and investigation of security violations. Security violation reports will remain few unless personnel doing the reporting feel protected doing so. S. 1974 provides safeguards for FBI whistleblowers who complain when superiors do not remedy security problems.

(7) Inspector General. The entire report shows the need for independent, outside review of FBI problems in security and other fields. S. 1974 codifies the authority of the Justice Department Inspector General to conduct such reviews.

At a hearing with the FBI and the DOJ Inspector General several weeks ago on the belated production of documents in the Oklahoma City bombing case, witnesses before our committee supported codifying the Inspector General’s authority to investigate the FBI, enhancing FBI whistleblower protection, ending the double standard whereby senior FBI management are disciplined less severely than rank and file agents, and coming up with a 10-point plan to move the FBI’s computer systems into the 21st Century. The need for legislation to help reform the FBI is real.

The days of hands-off oversight of the FBI are over, and these hearings serve as a catalyst for reform by encouraging the FBI, under Director Mueller’s leadership, to continue its needed improvements. That is why we are holding, and will continue to hold, these bipartisan FBI oversight hearings.

Now, more than ever, the nation needs the FBI to live up to its potential. In combating terrorism on our shores, the FBI needs to be stronger and smarter and more effective than ever. The stakes are too great and the price too high for anything less.

# # # # #